Access a database with fine-grained access control


This page explains how to access a Cloud Spanner database when you are a fine-grained access control user.

To learn about fine-grained access control, see About fine-grained access control.

As a fine-grained access control user, you must select a database role to use when you execute SQL statements and queries and when you perform row operations on a database. Your selection persists for the rest of your session, until you change the role.

When you submit a query, DML, or row operation, Cloud Spanner checks authorization by using the following rules:

Google Cloud console

Cloud Spanner first checks whether you have database-level IAM permissions. If you do, the Google Cloud console doesn't show a database role selector, and your session proceeds with your database-level permissions.

If you have only fine-grained access control privileges and no IAM database-level permissions, the Google Cloud console allows you to select a role, and your session proceeds with your fine-grained access control privileges.

Google Cloud SDK

If you specify a database role when you submit a query, DML, or a row operation, Cloud Spanner checks only the fine-grained access control privileges granted to that role. If the check fails, Cloud Spanner does not fall back to checking database-level IAM permissions, and the operation fails even if your IAM permissions would have allowed it.

If you don't specify a database role, Cloud Spanner checks database-level IAM permissions, and if the checks succeed, your session proceeds with your database-level permissions.

Follow these steps to specify a database role:

Console

  1. Select a database, and then on the database Overview page, click the Change database role (pencil) icon adjacent to the Current role field.

    By default, when a fine-grained access control user logs in, this field has the value public. For information about the public system role, see Fine-grained access control system roles.

  2. In the Change database role dialog, select another role from the list of available roles.

  3. Click Update.

    The Current role field shows the new role.

gcloud

  • To specify a database role when you use the gcloud spanner databases execute-sql command, add the --database-role option as follows:

    gcloud spanner databases execute-sql DATABASE_NAME \
    --instance=INSTANCE_NAME \
    --sql="SELECT * FROM TABLE_NAME;" \
    --database-role=ROLE_NAME
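The two authorization paths above (role specified: only the role's grants are checked, with no IAM fallback; no role: IAM is checked) give you a simple way to verify that a database role alone authorizes a query, rather than your broader database-level IAM permissions doing so. The following shell script is an added example, not part of the Cloud Spanner documentation or the gcloud CLI: it runs the same statement once with `--database-role` and once without, and reports which path authorized it. The `GCLOUD` variable, the `spanner_sql` and `auth_path` function names, and the instance, database, table and role values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Cloud Spanner or gcloud code). Runs a statement with and
# without --database-role to learn which authorization path allowed it.
# GCLOUD defaults to the real CLI; a test can point it at a stub (assumption).
GCLOUD="${GCLOUD:-gcloud}"

# Execute SQL against INSTANCE/DATABASE. When ROLE is non-empty, pass
# --database-role so Spanner checks only that role's grants (no IAM fallback).
spanner_sql() {
  instance=$1; database=$2; sql=$3; role=$4
  if [ -n "$role" ]; then
    "$GCLOUD" spanner databases execute-sql "$database" \
      --instance="$instance" --sql="$sql" --database-role="$role"
  else
    "$GCLOUD" spanner databases execute-sql "$database" \
      --instance="$instance" --sql="$sql"
  fi
}

# Classify how a statement is authorized for the caller's credentials:
#   role   - succeeds under ROLE alone (the role's grants are sufficient)
#   iam    - fails under ROLE but succeeds without a role, so the caller is
#            relying on database-level IAM permissions, not the role
#   denied - fails both ways
auth_path() {
  instance=$1; database=$2; sql=$3; role=$4
  if spanner_sql "$instance" "$database" "$sql" "$role" >/dev/null 2>&1; then
    echo role
  elif spanner_sql "$instance" "$database" "$sql" "" >/dev/null 2>&1; then
    echo iam
  else
    echo denied
  fi
}

# Example invocation with placeholder names (assumed; replace with your own):
#   auth_path INSTANCE_NAME DATABASE_NAME "SELECT * FROM TABLE_NAME;" ROLE_NAME
```

A result of `iam` is the one to act on: the statement works for you only because of IAM, so the role is missing a grant, or your principal holds database-level IAM permissions that a fine-grained access control user should not need.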